File CVE-2023-43665.patch of Package python-Django
Index: Django-1.11.29/django/utils/text.py
===================================================================
--- Django-1.11.29.orig/django/utils/text.py
+++ Django-1.11.29/django/utils/text.py
@@ -71,7 +71,14 @@ def wrap(text, width):
 class Truncator(SimpleLazyObject):
 """
 An object used to truncate text, either by characters or words.
+
+ When truncating HTML text (either chars or words), input will be limited to
+ at most `MAX_LENGTH_HTML` characters.
 """
+
+ # 5 million characters are approximately 4000 text pages or 3 web pages.
+ MAX_LENGTH_HTML = 5000000
+
 def __init__(self, text):
 super(Truncator, self).__init__(lambda: force_text(text))
 
@@ -172,6 +179,11 @@ class Truncator(SimpleLazyObject):
 if words and length <= 0:
 return ''
 
+ size_limited = False
+ if len(text) > self.MAX_LENGTH_HTML:
+ text = text[: self.MAX_LENGTH_HTML]
+ size_limited = True
+
 html4_singlets = (
 'br', 'col', 'link', 'base', 'img',
 'param', 'area', 'hr', 'input'
@@ -221,10 +233,14 @@ class Truncator(SimpleLazyObject):
 # Add it to the start of the open tags list
 open_tags.insert(0, tagname)
 
+ truncate_text = self.add_truncation_text("", truncate)
+
 if current_len <= length:
+ if size_limited and truncate_text:
+ text += truncate_text
 return text
+
 out = text[:end_text_pos]
- truncate_text = self.add_truncation_text('', truncate)
 if truncate_text:
 out += truncate_text
 # Close any tags still open
Index: Django-1.11.29/tests/utils_tests/test_text.py
===================================================================
--- Django-1.11.29.orig/tests/utils_tests/test_text.py
+++ Django-1.11.29/tests/utils_tests/test_text.py
@@ -2,6 +2,7 @@
 from __future__ import unicode_literals
 
 import json
+from unittest.mock import patch
 
 from django.core.exceptions import SuspiciousFileOperation
 from django.test import SimpleTestCase
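Review bot: The comment added above `MAX_LENGTH_HTML` in the first text.py hunk says how large 5,000,000 characters is, but not why the cap exists or what happens to input beyond it. Since this patch is the fix for CVE-2023-43665, I would state the purpose next to the constant, e.g. `# Cap on HTML input handed to the truncation parser; bounds worst-case processing time on very long or malformed markup.` The class docstring could also say that text past the limit is discarded before truncation, so callers know the result can be cut by the cap as well as by the requested length.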
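Review bot: On the new early-return path in the third text.py hunk (`if size_limited and truncate_text:` / `text += truncate_text`, then `return text`), the capped input is returned with the truncation marker appended but without the step the `out` path runs under `# Close any tags still open`. Because the cap in the previous hunk slices at a raw character index (`text[: self.MAX_LENGTH_HTML]`), the returned string can end inside a tag or leave opened tags unclosed. If callers render the result as well-formed HTML, either close `open_tags` on this path too or record the limitation, e.g. `# size-limited input is returned as cut; open tags are not closed on this path`. The tag-closing code and the enclosing method lie outside the hunk, so this is inferred from the visible lines only.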
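Review bot: `from unittest.mock import patch` exists only on Python 3, while this test module still carries `from __future__ import unicode_literals`, which suggests the 1.11 tree is expected to import under Python 2.7 as well. If that holds for this package, the import fails at module load and takes every test in test_text.py with it. The `with self.subTest(value=value):` lines in the two tests added further down have the same Python 3-only dependency. A guarded import that falls back to the `mock` backport, and a plain loop body in place of `subTest`, would keep the tests runnable on both interpreters.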
@@ -99,6 +100,23 @@ class TestUtilsText(SimpleTestCase):
 truncator = text.Truncator(value)
 self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
 
+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10000)
+ def test_truncate_chars_html_size_limit(self):
+ max_len = text.Truncator.MAX_LENGTH_HTML
+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+ valid_html = "<p>Joel is a slug</p>" # 14 chars
+ perf_test_values = [
+ ("</a" + "\t" * (max_len - 6) + "//>", None),
+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 4 + "..."),
+ ("&" * bigger_len, "&" * 7 + "..."),
+ ("_X<<<<<<<<<<<>", None),
+ (valid_html * bigger_len, "<p>Joel is...</p>"), # 10 chars
+ ]
+ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+ truncator = text.Truncator(value)
+ self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
+
 def test_truncate_words(self):
 truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
 self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
@@ -108,6 +126,26 @@ class TestUtilsText(SimpleTestCase):
 truncator = text.Truncator(lazystr('The quick brown fox jumped over the lazy dog.'))
 self.assertEqual('The quick brown fox...', truncator.words(4))
 
+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10000)
+ def test_truncate_words_html_size_limit(self):
+ max_len = text.Truncator.MAX_LENGTH_HTML
+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+ valid_html = "<p>Joel is a slug</p>" # 4 words
+ perf_test_values = [
+ ("</a" + "\t" * (max_len - 6) + "//>", None),
+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "..."),
+ ("&" * max_len, None), # no change
+ ("&" * bigger_len, "&" * max_len + "..."),
+ ("_X<<<<<<<<<<<>", None),
+ (valid_html * bigger_len, valid_html * 12 + "<p>Joel is...</p>"), # 50 words
+ ]
+ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+ truncator = text.Truncator(value)
+ self.assertEqual(
+ expected if expected else value, truncator.words(50, html=True)
+ )
+
 def test_truncate_html_words(self):
 truncator = text.Truncator(
 '<p id="par"><strong><em>The quick brown fox jumped over the lazy dog.</em></strong></p>'
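Review bot: None of the cases in `perf_test_values` for `test_truncate_words_html_size_limit` pins what happens to an opening tag when the size cap fires while the word count is still under the limit. The over-length inputs either contain no real opening tag (`"</p" + "\t" * bigger_len + "//>"`, `"&" * bigger_len`) or exceed 50 words and so take the path that closes tags. I would add a case along the lines of `("<p>" + "a" * bigger_len, ...)`, with the expected value written to whichever behaviour is intended. That makes it an explicit, tested decision whether capped output may carry unclosed tags.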